lemonade12
just joined
Topic Author
Posts: 2
Joined: Fri Jul 02, 2021 12:24 am

AC2 VLANs - no DHCP address

Wed Jul 07, 2021 8:48 am

Hi!

Love these forums. I've been reading for the past few weeks getting used to my first MikroTik; however, I'm still very much a beginner.

I've been attempting to create a home setup with VLANs using Router-Switch-AP (all in one) from viewtopic.php?t=143620

However, using the following modified config, my devices are unable to get any IP address when connecting via Wi-Fi or Ethernet.
I'm then unable to access the router via Winbox or IP, and need to reset the router to try again.

VLAN 10 - Home
VLAN 20 - IOT
VLAN 30 - Guest
VLAN 99 - MGMT/base


Setup:
home_network.png

#######################################
# VLAN Overview
#######################################

# 10 = HOME
# 20 = IOT
# 30 = Guest
# 99 = BASE (MGMT) VLAN


#######################################
# WIFI Setup
#
#######################################

# HOME SSID
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless set [ find default-name=wlan1 ] ssid=HOME frequency=auto mode=ap-bridge disabled=no

# IOT SSID
/interface wireless security-profiles add name=iot authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan_iot ssid=IOT master-interface=wlan1 security-profile=iot disabled=no

# Guest SSID
/interface wireless security-profiles add name=guest authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan_guest ssid=GUEST master-interface=wlan1 security-profile=guest disabled=no

# Optional: BASE SSID, admin level access to Winbox the device. Use a local ethernet port if preferred.
/interface wireless security-profiles add name=Base authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan_mgmt ssid=BASE master-interface=wlan1 security-profile=Base disabled=no


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# HOME VLAN
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=ether5 pvid=10
add bridge=BR1 interface=wlan1  pvid=10

# IOT VLAN
add bridge=BR1 interface=wlan_iot  pvid=20

# GUEST VLAN
add bridge=BR1 interface=wlan_guest  pvid=30

# BASE_VLAN
add bridge=BR1 interface=wlan_mgmt pvid=99

# egress behavior, handled automatically

# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=30]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="9.9.9.9"

# Yellow WAN facing port with IP Address provided by ISP
/ip address add interface=ether1 address=192.168.0.1/24 network=192.168.0.0


#######################################
# IP Services
#######################################

# HOME VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=HOME_VLAN vlan-id=10
/ip address add interface=HOME_VLAN address=10.0.10.1/24
/ip pool add name=HOME_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=HOME_POOL interface=HOME_VLAN name=HOME_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1

# IOT VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=IOT_VLAN vlan-id=20
/ip address add interface=IOT_VLAN address=10.0.20.1/24
/ip pool add name=IOT_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1

# GUEST VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GUEST_VLAN vlan-id=30
/ip address add interface=GUEST_VLAN address=10.0.30.1/24
/ip pool add name=GUEST_POOL ranges=10.0.30.2-10.0.30.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
/ip dhcp-server network add address=10.0.30.0/24 dns-server=192.168.0.1 gateway=10.0.30.1

# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1     list=WAN
add interface=BASE_VLAN  list=VLAN
add interface=HOME_VLAN  list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN  list=BASE

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan_iot]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan_guest]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan_mgmt]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
 
erlinden
Forum Guru
Posts: 1921
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: AC2 VLANs - no DHCP address

Wed Jul 07, 2021 10:03 am

Can you please post your current configuration (/export hide-sensitive file=anynameyoulike).
 
lemonade12
just joined
Topic Author
Posts: 2
Joined: Fri Jul 02, 2021 12:24 am

Re: AC2 VLANs - no DHCP address

Wed Jul 07, 2021 10:46 am

Can you please post your current configuration (/export hide-sensitive file=anynameyoulike).
Config attached, thanks.

This config is just before VLAN filtering is turned on (which locks me out of the router, and no IP).
Last edited by lemonade12 on Sun Jan 15, 2023 5:34 am, edited 1 time in total.
 
erlinden
Forum Guru
Posts: 1921
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: AC2 VLANs - no DHCP address

Wed Jul 07, 2021 11:06 am

In your config I can't see the tagged bridge (BR).

You might want to leave this part out:

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE

Though this is good practice, when not configured correctly it will prevent you from accessing the RB.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: AC2 VLANs - no DHCP address

Wed Jul 07, 2021 6:28 pm

Where is VLAN 99 elsewhere in your configuration?
In this case, since you don't have a separate management VLAN where, for example, the admin's computer would reside, simply drop the VLAN 99 WLAN altogether. NOT NEEDED.
Simply use your existing trusted home VLAN as the management interface.

What do I mean?
I mean keep parts of your interface list BASE as is.
/interface list
add name=WAN
add name=VLAN
add name=BASE

/interface list member
add interface=ether1 list=WAN
add interface=HOME_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=HOME_VLAN list=BASE

No need for a base subnet or anything like that.
Firewall rules:
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="admin access" in-interface-list=BASE
*****
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \ %%%%
connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp

add action=drop chain=input comment=Drop


**** Consider creating a firewall access list and then using a source-address-list rule to further limit access to the router ONLY to admin devices (PC, laptop, smartphone, iPad, etc.).

%%% Nobody on any VLAN needs access to the router, ONLY to services on the router, and normally the only service is DNS.

FORWARD CHAIN.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related

add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop

Finally, the mac-server winbox setting is already correct, set to interface list BASE.
However, the MAC-only one should be set to interface=none.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: AC2 VLANs - no DHCP address

Wed Jul 07, 2021 6:34 pm

As for the VLAN settings... just remove the VLAN 99 entry.
I don't see any bridge VLAN filtering settings; however, they will all be dynamically created, but erlinden may be onto something here,
so see the modifications...

/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan_iot pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan_guest pvid=30

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,ether5,wlan1 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=wlan_iot vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=wlan_guest vlan-ids=30

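As an added example (not code from the thread or from MikroTik), a small Python lint that performs the check erlinden and anav make by eye before `vlan-filtering=yes` is switched on: every VLAN that an access port's pvid or an `/interface vlan` on the bridge relies on must have an `/interface bridge vlan` entry with the bridge itself listed as tagged, otherwise the router's own L3 interface for that VLAN (and its DHCP server) is cut off the moment filtering is enabled. The `SAMPLE_EXPORT` text is constructed to mirror the first post's config (the `set ... [find vlan-ids=...]` form there creates no entries, so only VLAN 10 is given one here); the function names are assumptions.

```python
import re

# Constructed sample mirroring the thread's config: only VLAN 10 has a bridge vlan entry with BR1 tagged.
SAMPLE_EXPORT = """\
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=wlan_iot pvid=20
add bridge=BR1 interface=wlan_guest pvid=30
add bridge=BR1 interface=wlan_mgmt pvid=99
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2 vlan-ids=10
"""

def parse_export(text):
    """Return {menu path: [entry dict, ...]} for every 'add' line of a RouterOS /export."""
    entries, menu = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # "/x y add ..." carries a command; "/x y" alone only sets the menu
            menu, _, rest = line.partition(" add ")
            line = "add " + rest if rest else ""
        if line.startswith("add "):
            kv = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)
            entries.setdefault(menu, []).append({k: v.strip('"') for k, v in kv})
    return entries

def expand_vlan_ids(spec):
    """'10,20-22' -> {10, 20, 21, 22}"""
    return {i for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for i in range(int(lo), int(hi or lo) + 1)}

def vlan_filtering_problems(text):
    """VLANs whose router-side (L3) reachability breaks once vlan-filtering=yes is set."""
    e = parse_export(text)
    needed = {}  # vlan id -> (bridge, reason it must be carried to the CPU)
    for p in e.get("/interface bridge port", []):
        if p.get("pvid", "1") != "1":
            needed.setdefault(int(p["pvid"]), (p["bridge"], "pvid on " + p["interface"]))
    for v in e.get("/interface vlan", []):
        needed.setdefault(int(v["vlan-id"]), (v["interface"], "L3 interface " + v["name"]))
    tagged_on_bridge = set()  # ids for which the bridge itself is a tagged member
    for row in e.get("/interface bridge vlan", []):
        if row["bridge"] in row.get("tagged", "").split(","):
            tagged_on_bridge |= expand_vlan_ids(row["vlan-ids"])
    return [f"VLAN {vid} ({why}): no /interface bridge vlan entry with {br} tagged"
            for vid, (br, why) in sorted(needed.items()) if vid not in tagged_on_bridge]
```

Call `vlan_filtering_problems()` on the text of your own `/export` (it handles single-line and multi-line menu forms, and comma or range `vlan-ids`); an empty list means every VLAN the router terminates is tagged on the bridge, and entries that list only the member ports but not the bridge itself are still flagged.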